> >>so it becomes a part of the client side page request
> "against your will" as it were.
>
> Yes, but this raises a question:
> If my window.onerror can get events from some plugin code, this means that
> this code is embedded and is treated as if it belonged to my window.
> Thus, it has access to everything in my window, including the document,
> forms, input fields in the forms, even those containing passwords, etc.
>
> What kind of breach is that?

This is exactly how user scripts work. They are installed by the user in some fashion, and can control browser functionality. This is how online password managers work, how Greasemonkey works, etc, etc, etc. If a user installs malware, of course that malware can do this sort of thing. There's nothing magically sacrosanct in HTTP or HTML to prevent this sort of thing.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359231
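
The situation discussed in this thread, as an added example that is not part of either poster's message: a `window.onerror` handler that labels each error by where the failing script was loaded from, so errors raised by user-installed extension code can be separated from the site's own bugs in error reports. The function names, the `report` callback, the `https://app.example` origin and the sample events are assumptions constructed for illustration.

```javascript
// URL schemes browsers use for scripts that belong to an installed extension.
const EXTENSION_SCHEMES = [
  "chrome-extension:", "moz-extension:",
  "safari-extension:", "safari-web-extension:",
];

// Classify one onerror event by the script URL the browser reported.
function classifyErrorSource(message, source, pageOrigin) {
  if (!source) {
    // Cross-origin scripts loaded without CORS are sanitized by the browser:
    // the handler only sees "Script error." and no URL.
    return message === "Script error." ? "opaque-cross-origin" : "inline-or-unknown";
  }
  let url;
  try {
    url = new URL(source);
  } catch {
    return "inline-or-unknown"; // not an absolute URL
  }
  if (EXTENSION_SCHEMES.includes(url.protocol)) return "extension";
  return url.origin === pageOrigin ? "first-party" : "third-party";
}

// Install the handler on a window-like object; `report` receives one record
// per error (for example, to queue it for an error-collection endpoint).
function installHandler(win, report) {
  win.onerror = function (message, source, lineno, colno) {
    const kind = classifyErrorSource(String(message), source, win.location.origin);
    report({ kind, message: String(message), source: source || "", lineno, colno });
    return false; // do not suppress the browser's own console logging
  };
}

// Constructed sample events, shaped like the arguments onerror receives.
const SAMPLE_EVENTS = [
  { message: "TypeError: a is null", source: "https://app.example/js/main.js" },
  { message: "ReferenceError: x", source: "chrome-extension://constructed-id/inject.js" },
  { message: "Script error.", source: "" },
  { message: "SyntaxError: bad", source: "https://cdn.example.net/widget.js" },
];

function classifySamples(pageOrigin) {
  return SAMPLE_EVENTS.map((e) => classifyErrorSource(e.message, e.source, pageOrigin));
}

console.log(classifySamples("https://app.example"));
```

This is triage for error reports, not a boundary: as the reply says, code the user installs runs with access to the page, and a script injected inline into the page may be reported under the page's own URL.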